linksys WRT54GX2 replay counter bug?

Chuck T. freebsdfan at
Tue Sep 5 12:39:37 EDT 2006

Have you had a chance to look at my log and do you agree it's a Linksys bug?
I'm surprised something this glaring has been around for so long
particularly when their other APs don't have the problem.  Perhaps they
farmed out the firmware for this AP to a different company than they used
for their other APs.  Who knows...


>From: Jouni Malinen <jkmaline at>
>To: hostap at
>Subject: Re: linksys WRT54GX2 replay counter bug?
>Date: Sun, 3 Sep 2006 08:14:55 -0700
>On Sun, Sep 03, 2006 at 08:07:18AM -0700, Chuck T. wrote:
> > I'm having a problem with wpa_supplicant and a WRT54GX2 w/ the latest
> > firmware.  Sometimes it works, but most of the time the reply_counter of 
> > "message 1 of Group Key Handshake" is the same as that of the "RX message 
> > of 4-Way Handshake".  As a result wpa_supplicant fails (correctly) with 
> > "WPA: EAPOL-Key Replay Counter did not increase - dropping packet" 
>Could you please send a wpa_supplicant debug log showing this behavior?
>I would like to see the exact message sequence that is seen at the
> > When it works the reply_counter advance by 1 between the 4-Way handshake
> > rather than the 2 that the spec appears to require.  I also have a 
> > (non x2) which works correctly every time and does advance the 
> > by 2.
>What is this comment about spec requiring replay counter jumping by
>based on? The counter needs to increment for each new EAPOL-Key frame,
>but I'm not aware of any requirement for it to increase by two.
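
The check discussed in this thread, as an added sketch that is not part of the original messages and is not wpa_supplicant's own code: a receiver keeps the last accepted 8-octet Replay Counter and drops any EAPOL-Key frame whose counter did not increase. The struct, function names and counter values are constructed for illustration; the sample sequences show that a step of 1 or 2 both pass, while a frame that reuses an earlier counter is dropped.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REPLAY_COUNTER_LEN 8 /* EAPOL-Key Replay Counter: 8 octets, big-endian */

/* Hypothetical receiver state; names are illustrative, not wpa_supplicant's. */
struct rx_state {
    uint8_t last[REPLAY_COUNTER_LEN];
    int last_set; /* 0 until the first frame has been accepted */
};

/* Return 1 and record the counter if it increased, 0 if the frame is dropped.
 * Assumes the caller performs all other validation of the frame. */
int accept_replay_counter(struct rx_state *st, const uint8_t *rc)
{
    /* memcmp over big-endian octets orders the counters numerically */
    if (st->last_set && memcmp(rc, st->last, REPLAY_COUNTER_LEN) <= 0)
        return 0;
    memcpy(st->last, rc, REPLAY_COUNTER_LEN);
    st->last_set = 1;
    return 1;
}

/* Feed constructed counter values in order; bit i is set if frame i passed. */
unsigned run_sequence(const uint64_t *counters, size_t n)
{
    struct rx_state st = {{0}, 0};
    unsigned mask = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t rc[REPLAY_COUNTER_LEN];
        for (int b = 0; b < REPLAY_COUNTER_LEN; b++)
            rc[b] = (uint8_t)(counters[i] >> (8 * (REPLAY_COUNTER_LEN - 1 - b)));
        if (accept_replay_counter(&st, rc))
            mask |= 1u << i;
    }
    return mask;
}

int main(void)
{
    const uint64_t by_one[] = {1, 2, 3}; /* advances by 1: all accepted */
    const uint64_t by_two[] = {1, 3, 5}; /* advances by 2: all accepted */
    const uint64_t reused[] = {1, 2, 2}; /* last frame reuses a counter */
    printf("by_one=%u by_two=%u reused=%u\n", run_sequence(by_one, 3),
           run_sequence(by_two, 3), run_sequence(reused, 3));
    return 0;
}
```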
